hackers seem to like base64 (or eval) encoding their php commands
#!/bin/bash
# Finds ANY occurrence of "base64", "eval(" or "eval)" in files under the current
# directory. These strings are typical of obfuscated PHP malware, so every hit is
# written to detections.txt (file:line:content) for manual review.
# WARNING: this script must be run from inside the "infected" folder, e.g. /var/www/
# -type f limits the search to regular files; grep -H prints the file name and -n the
# line number. The backslash-pipe alternation is GNU grep BRE syntax.
find . -type f -exec grep -Hn "base64\|eval(\|eval)" '{}' \; &> detections.txt
test_find/test.js:1:eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
test_find/test.js:2:e=(eval);
test_find/test.tpl:1:eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
test_find/test.php:1:eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
root@test:/var/www# ll test_detection/
total 12
-rw-r--r-- 1 root root 74 avril 6 00:45 test.js
-rw-r--r-- 1 root root 64 avril 6 00:14 test.php
-rw-r--r-- 1 root root 64 avril 6 00:14 test.tpl
root@test:/var/www# cat test_detection/test.js
eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
e=(eval);
root@test:/var/www# cat test_detection/test.php
eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
root@test:/var/www# cat test_detection/test.tpl
eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
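As an added example (this is not code from the gist), the same scan with a tighter pattern: instead of the bare word "base64", it matches the function-call forms seen in the sample files above, so a comment that merely mentions base64, or a legitimate base64_encode() call, no longer shows up as a detection. It also reports a hit count so a large webroot can be triaged before reading the whole list. The function names scan_dir and make_sample_tree, the SUSPECT_RE pattern and the sample directory tree are all constructed for this example.

```bash
#!/bin/bash
# Added example, not part of the original gist. It keeps the gist's idea (grep the
# webroot for eval/base64 strings) but tightens the pattern to the function-call
# forms seen in the gist's sample files, so a bare word such as "base64" in a
# comment or a legitimate base64_encode() call no longer counts as a detection.
# Function names and the sample tree below are constructed for this example.

# Extended regex: eval(, base64_decode(, gzinflate( (optional whitespace before
# the parenthesis) plus the "(eval)" alias form from test.js.
SUSPECT_RE='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|\(eval\)'

# scan_dir DIR OUTFILE
#   writes "file:line:content" for every suspicious line to OUTFILE and prints
#   the number of hits, so a large webroot can be triaged by count first.
scan_dir() {
    dir="$1"
    out="$2"
    # -r recurse, -n line numbers, -H file names, -E extended regex, -I skip binaries;
    # --include limits the scan to the server-side and template types from the gist.
    # grep exits 1 when nothing matched, which is a valid (clean) result, not an error.
    grep -rnHEI --include='*.php' --include='*.js' --include='*.tpl' \
        -e "$SUSPECT_RE" "$dir" > "$out" 2>/dev/null || [ $? -eq 1 ]
    wc -l < "$out" | tr -d ' '
}

# make_sample_tree
#   builds a throwaway directory modelled on the gist's test files (constructed
#   data) and prints its path; used for the self-test and as a runnable demo.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/test_find" "$root/vendor"
    # two lines copied from the gist's test.js: the packed payload and the alias
    printf '%s\n' "eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));" \
                  "e=(eval);" > "$root/test_find/test.js"
    # benign PHP with no obfuscation calls
    printf '%s\n' "<?php echo 'hello'; ?>" > "$root/test_find/index.php"
    # benign file that the gist's bare "base64" pattern would have flagged
    printf '%s\n' "// base64 is mentioned here only in a comment" > "$root/vendor/lib.js"
    printf '%s\n' "$root"
}

# Usage: ./scan_webroot.sh /var/www   (writes detections.txt in the current directory)
if [ -n "${1:-}" ]; then
    hits="$(scan_dir "$1" detections.txt)"
    echo "$hits suspicious line(s) written to detections.txt"
fi
```

Run against the constructed tree, the scan reports 2 hits, both in test_find/test.js (the packed payload line and the e=(eval); alias), and nothing for index.php or vendor/lib.js. The pattern list is deliberately limited to what the gist's samples show; a real review of a compromised webroot should treat it as a first pass, not as a complete signature set.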